CVE-2025-48038: CWE-770 Allocation of Resources Without Limits or Throttling in Erlang OTP
Allocation of Resources Without Limits or Throttling vulnerability in Erlang OTP ssh (ssh_sftp modules) allows Excessive Allocation, Resource Leak Exposure. This vulnerability is associated with program files lib/ssh/src/ssh_sftpd.erl. This issue affects OTP from OTP 17.0 until OTP 28.0.3, OTP 27.3.4.3 and 26.2.5.15 corresponding to ssh from 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12.
AI Analysis
Technical Summary
CVE-2025-48038 is an Allocation of Resources Without Limits or Throttling weakness (CWE-770, a child of CWE-400, Uncontrolled Resource Consumption) in the ssh application that ships with Erlang/OTP, specifically in lib/ssh/src/ssh_sftpd.erl, the server side of the SFTP subsystem. The version ranges in the description follow the advisory's "affects from X until Y" convention, where Y is the first release that carries the fix: OTP 17.0 and later are affected, and the fix is in OTP 28.0.3, 27.3.4.3 and 26.2.5.15, which ship ssh 5.3.3, 5.2.11.3 and 5.1.4.12 respectively. OTP 17 through 25 fall inside the affected range but are not among the maintained branches that received a patch release, so there is no fixed version on those branches. The core issue is that the SFTP server does not bound an allocation it performs on behalf of a client, so a client can drive memory or other per-session resources up without limit; the description also names resource leaks, so resources may also go unreleased when a session ends. The result is denial of service against the Erlang node hosting the daemon, and because the ssh application runs inside the same BEAM VM as everything else on that node (a message broker, a telecom control plane), exhausting the VM's memory takes those services down with it. The CVSS 4.0 base score is 5.3 (medium), reflecting a network attack vector, low attack complexity, no user interaction, and a limited availability impact; confidentiality and integrity are not affected. One caveat on reachability: ssh_sftpd is an SSH subsystem requested on a channel after authentication completes, so in most deployments an attacker needs a valid login on the daemon unless it accepts anonymous or password-less access. No public exploit code and no in-the-wild exploitation have been reported for this issue.
Potential Impact
The impact is to availability. A client that can open an SFTP channel can make the server allocate memory or other resources without bound, or leak them across sessions, until the Erlang node slows, exhausts its memory, or is killed, and every service co-hosted in that VM fails with it. Confidentiality and integrity are not affected directly, but outages of the telecom, messaging and cloud control-plane systems that commonly embed the OTP ssh daemon carry their own operational and reputational cost. The medium CVSS score reflects a limited availability impact rather than a high bar to exploitation: the vector is network-reachable and low complexity, and the main gate is whether the attacker can reach the SFTP subsystem, which normally requires a valid SSH login on the daemon. The absence of public exploit code limits the immediate risk, but a resource-exhaustion bug of this kind is usually simple to trigger once the offending request is known, so until the fixed release is deployed the issue should be treated as reachable by any authenticated (or, where the daemon permits it, anonymous) SFTP client.
Mitigation Recommendations
1. Upgrade to OTP 28.0.3, 27.3.4.3 or 26.2.5.15 (ssh 5.3.3, 5.2.11.3 or 5.1.4.12) or later. OTP 17 through 25 are inside the affected range but have no patched release, so for those branches the only fix is to move to a supported branch.
2. Where the upgrade must wait, bound what a single client can consume: set `max_sessions` on `ssh:daemon/2,3` to cap concurrent connections, `negotiation_timeout` and `idle_time` to drop stalled or idle connections, and `max_files` in `ssh_sftpd:subsystem_spec/1` to cap the file handles one SFTP session can hold open (the default, 0, is unlimited). Add network-level rate limiting and per-source connection limits in front of the daemon. None of this is known to close the specific allocation the fix bounds; it limits the blast radius.
3. Monitor the node, not only the host: track erlang:memory/0 and erlang:system_info(process_count) alongside host memory and CPU. A sustained climb that correlates with SFTP sessions, or memory that does not return after sessions close, is the signal to look for.
4. Tune IDS/IPS or SSH gateway logging to flag unusual SFTP behaviour, such as one session issuing a very high volume of requests or holding many channels or handles open.
5. Keep OTP ssh daemons in segmented network zones with strict access controls so that only hosts that need SFTP can reach them.
6. Reduce the attack surface: if a daemon does not need SFTP, pass `{subsystems, []}` so the ssh_sftpd subsystem is not offered (it is registered by default); require public-key authentication; confine sessions with the subsystem's `root` and `cwd` options.
7. Keep backups current and an incident response plan ready so that a node taken down by resource exhaustion can be restarted or replaced quickly; this is a denial-of-service issue, so data recovery is not the concern, service restoration is.
8. Follow the EEF security advisories and OTP release notes to track follow-up fixes on the same module.
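The version ranges in the description and in step 1 above can be checked mechanically across a fleet. The following script is an added example for this page, not code from Erlang/OTP or the EEF advisory. It encodes the advisory's ranges, reading each upper bound as the first fixed release on that maintenance branch, and assumes (our assumption, not the advisory's) that branches released after the fix, OTP 29+ and ssh 5.4+, carry it. The `installed_versions` helper shells out to a local `erl` to read the OTP_VERSION file and the ssh application's vsn; the classification functions are pure and run without Erlang installed.

```python
"""Version-range check for CVE-2025-48038 (Erlang/OTP ssh, ssh_sftpd.erl).

Added example for this page, not code from Erlang/OTP or the EEF advisory.
It encodes the ranges the advisory states ("OTP 17.0 until 28.0.3, 27.3.4.3 and
26.2.5.15", "ssh 3.0.1 until 5.3.3, 5.2.11.3 and 5.1.4.12"), reading each upper
bound as the first fixed release on that branch. That later branches (OTP 29+,
ssh 5.4+) carry the fix is our assumption, not the advisory's.
"""
from __future__ import annotations

import subprocess

Version = tuple[int, ...]

# First fixed release per maintained branch, keyed by the branch prefix.
SSH_FIXED: dict[Version, Version] = {
    (5, 1): (5, 1, 4, 12),
    (5, 2): (5, 2, 11, 3),
    (5, 3): (5, 3, 3),
}
SSH_FIRST_AFFECTED: Version = (3, 0, 1)

OTP_FIXED: dict[Version, Version] = {
    (26,): (26, 2, 5, 15),
    (27,): (27, 3, 4, 3),
    (28,): (28, 0, 3),
}
OTP_FIRST_AFFECTED: Version = (17, 0)


def parse_version(text: str) -> Version:
    """'5.2.11.3' -> (5, 2, 11, 3); OTP and app versions are dotted integers."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted integer version: {text!r}")
    return tuple(int(p) for p in parts)


def _fmt(v: Version) -> str:
    return ".".join(map(str, v))


def _classify(v: Version, first_affected: Version,
              fixed: dict[Version, Version], branch_len: int) -> tuple[bool, str]:
    """Return (affected?, reason).

    Tuples compare component-wise and a shorter tuple sorts before its own
    extension, so (5, 1, 4) < (5, 1, 4, 12), which is the release ordering.
    """
    # Pad a bare "28" to the length of the range start so it is not read as
    # older than "28.0".
    v = v + (0,) * (len(first_affected) - len(v))
    if v < first_affected:
        return False, "below the affected range"
    branch = v[:branch_len]
    if branch in fixed:
        if v >= fixed[branch]:
            return False, f"fixed: {_fmt(branch)} branch at or past {_fmt(fixed[branch])}"
        return True, f"affected: upgrade the {_fmt(branch)} branch to {_fmt(fixed[branch])}"
    if branch > max(fixed):
        return False, "released after the fix (assumed to include it)"
    return True, "affected: branch has no fix, move to a maintained branch"


def ssh_app_affected(version: str) -> tuple[bool, str]:
    """Check an `ssh` application version such as '5.2.11.2'."""
    return _classify(parse_version(version), SSH_FIRST_AFFECTED, SSH_FIXED, 2)


def otp_affected(version: str) -> tuple[bool, str]:
    """Check a full OTP version such as '27.3.4.2' (the OTP_VERSION file, not
    the bare release number that erlang:system_info(otp_release) returns)."""
    return _classify(parse_version(version), OTP_FIRST_AFFECTED, OTP_FIXED, 1)


# Erlang expression that prints "<otp version> <ssh app version>" for a local install.
_ERL_EVAL = (
    '{ok, V} = file:read_file(filename:join([code:root_dir(), "releases", '
    'erlang:system_info(otp_release), "OTP_VERSION"])), '
    "application:load(ssh), {ok, S} = application:get_key(ssh, vsn), "
    'io:format("~s ~s~n", [string:trim(V), S]).'
)


def installed_versions() -> tuple[str, str]:
    """Ask the local `erl` for its OTP and ssh versions (requires Erlang on PATH)."""
    out = subprocess.run(
        ["erl", "-noshell", "-eval", _ERL_EVAL, "-s", "init", "stop"],
        capture_output=True, text=True, check=True, timeout=30,
    ).stdout
    otp, ssh = out.split()
    return otp, ssh


if __name__ == "__main__":
    otp, ssh = installed_versions()
    for label, (hit, why) in (("OTP " + otp, otp_affected(otp)),
                              ("ssh " + ssh, ssh_app_affected(ssh))):
        print(f"{label}: {'AFFECTED' if hit else 'ok'} ({why})")
```

Check the ssh application version as well as the OTP version: the two agree on a stock install, but a node started with a patched ssh application dropped into an older OTP, or the reverse, is only caught by looking at both.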
Affected Countries
United States, Germany, India, China, United Kingdom, France, Japan, South Korea, Brazil, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: EEF
- Date Reserved: 2025-05-15T08:36:04.576Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68c31dfb563d4c3db05f6e45
Added to database: 9/11/2025, 7:07:39 PM
Last enriched: 2/28/2026, 2:54:12 PM
Last updated: 3/23/2026, 12:12:05 AM